A Chat with the Makers of Don't Snoop Me Bro, a New Fool-Proof Encryption Tool

To learn more about the DSMB prototype I’m using and what Don't Snoop Me Bro is offering consumers, I called up one of the startup's architects.

This past month, I received a package in the mail containing a small red box, some Ethernet cable and a black key. A card accompanied the package in which the red box addressed me, “Hi! I'm a prototype DSMB Tunnel. Put me in your network between your computer and the Internet, and when you turn the key I'll set up an encrypted VPN connection to a server outside the US.” On the back of the card were visual instructions to guide me through the simple installation.

Traditionally, using a VPN, or Virtual Private Network, involves installing a client directly onto your computer. Users generally have to configure the VPN software themselves, which includes settings unfamiliar to someone without a background in networking. It’s by no means impossible for someone with only average computer skills to set up a VPN on their home computer, but it can be challenging, time-consuming and even frustrating. This is the problem DSMB, or Don’t Snoop Me Bro, has decided to tackle.

According to the information included with the package, DSMB’s device is a privacy “appliance” designed to provide individual consumers and small businesses with a simple and fast way to secure their personal information.

The fledgling company isn’t hedging their bets. A team of architects, engineers and electronic technicians have spent the last nine months preparing for this moment. A 30-day campaign on Indiegogo will determine whether there’s a market for a plug-and-play VPN service online or not. Their fundraising goal has been set at $65,000 and DSMB will only receive the funding if they meet their goal by November 5.

Back at my house, I followed the instructions that came with my prototype and plugged the DSMB device into my router. I took the black key, inserted it and turned it to the right. I stepped over to my computer, enabled my internet connection and opened Firefox. If the VPN service was functioning properly, any website I visited would believe my computer was located somewhere other than my house in Texas. I went to whatismyipaddress.com to check my IP. Sure enough, the site was convinced my computer and I were browsing from Amsterdam.

As I said, there’s a great deal of privacy protection already available to just about anyone, but the theory and application of privacy tools can be complex. Few people have the desire or the time to learn how encryption works. Due to some recent disclosures about one of my country’s intelligence agencies (ixnay on the Nay Say Ayay), I already assumed the public’s interest in guarding their data is at an all-time high, but it wasn’t until I plugged in the DSMB Tunnel that I realized how big of an industry privacy was going to become. Using that little red box was so easy a caveman… well, it was remarkably easy.

From installing the device to getting online, it had taken approximately 90 seconds to set up and use the DSMB Tunnel. I didn't have to install any software, configure a firewall, or worry about blocked ports or transmission protocols. My data was secured and my physical location was seemingly anonymous.

So, why Amsterdam? Well, the answer is freedom. That may sound illogical to anyone who still believes America is the last bastion of liberty in this world, but it's time to set the record straight: No government spends more time and money trying to track the online traffic and communications of their own citizens than the United States.

Simply put, the Dutch government doesn't give a damn what websites you're visiting or who you've been talking to online. Servers containing your data aren't likely to be seized by a SWAT team, which is a frequent occurrence in the United States. Dutch internet service providers aren't required to configure their servers to retain user information. Unlike the United States, there aren't laws that require wiretapping devices to be installed on all telecommunications equipment that allow the government (and whoever else) to intercept your information at will. Under law, Dutch companies can’t even pass on your personal data to third parties, a very profitable practice for many American internet companies, including Facebook and Google.

You may have heard someone say something similar to this: “I'm not doing anything illegal, so I don't care who sees my information online.” This sentiment has been frequently echoed in the media as well. Well, they couldn't be more wrong. Right now, there are millions of people processing financial transactions from mobile devices on unprotected, public networks; they're discussing personal health or medication issues with their physicians; they think they're emailing a message that will only be read by their attorney. Privacy isn't always about hiding some dark secret—it's also about keeping you and your family safe.

Regardless of how it’s accomplished, there is an urgent need for average citizens to implement some form of online privacy protection. The Internet is, after all, a public domain. When you’re sending and receiving information online, your data is being passed along by a series of routers throughout the country, or potentially, overseas. These routers are frequently targeted by hackers with the purpose of collecting your data for malicious reasons, such as accessing your bank account or stealing your identity. By using a VPN, you can ensure that your data is encrypted as it leaves your home and can only be read by a server of your choosing. Likewise, information you receive is encrypted and unreadable by other devices except your own.

Privacy isn’t just about personal protection, but also economic security. Many online businesses have strict privacy policies and consumers depend on these companies to protect their data. Once the world realised just how broad and intrusive the surveillance practices of the U.S. government really are, several successful Internet companies were forced to shut themselves down. Texas-based secure email provider Lavabit, which had been used by whistleblower Edward Snowden, ceased operations only a few months ago. After an investigation by federal authorities, the front page of Lavabit now displays only a frightening letter from the owner. In part it says, “I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on—the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise.” The last line reads: “I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.”

The award-winning legal website Groklaw also shut down this year, specifically citing government spying as the cause. The service depended on anonymity and the privacy of their communications. According to Pamela Jones, the website's founder, she could no longer claim Groklaw was safe. In a letter to the public, Jones equated her private emails being read to the experience of having her apartment burglarized: “I can't tell how deeply disturbing it is to know that someone, some stranger, has gone through and touched all your underwear, looked at all your photographs of your family, and taken some small piece of jewelry that's been in your family for generations.” She continued, “I feel like that now, knowing that persons I don't know can paw through all my thoughts and hopes and plans in my emails with you.”

To learn more about the DSMB prototype I’m using and what Don't Snoop Me Bro is offering consumers, I called one of their architects, Calvin Domenico, a teacher at the Artisan's Asylum and a former computer science student at Northeastern University.

MOTHERBOARD: Thanks for sending us one of your prototypes. What kind of changes are you going to make to the consumer model?

What you have is a dev-board with some extra hardware thrown together in a laser-cut enclosure. The final device is going to be a single system board with every component built into it, like the key and LED, all built into that main board, in a small housing that's going to be injection molded. Right now it has a 10/100 port on it. We're going to move those up to dual-gigabit connections and we're going to be releasing a variant with WiFi. The consumer model, when we build it, will be smaller, a little bit tighter construction, and basically more professional looking.

Fabricator/electronic technician Ben Kinkead constructing a DSMB prototype

So, when I was explaining how this device works to a friend with no security skills whatsoever, he was a little weirded out that all of his traffic was being routed to a server overseas.

The point here is that Internet users are starting not to trust that the infrastructure is benign. Thinking about someone watching your Internet activities is like having a camera in your home going…where? We wanted to give folks a way to reclaim that sense of privacy and that means inhibiting ISPs (who know your name and where you live) from watching what’s in all the packets and anonymizing the packets when they become unencrypted. To do that, you need to tunnel the traffic to a remote location, where it’s more safe.

We're going to allow selection of the location of the endpoint. The service providers we are looking at now have endpoints in the US as well as Europe, Asia, and South America. The intention is to give the user the ability to control where his traffic goes. A non-US country will be set by default and the final version of the product will have, if you choose to go to it, an internal web-configuration page that, with a single click, allows you to select the location of the endpoint. Basically, we're going to go to the VPN provider and get a full list of available endpoints. You'll just pull up the web page of the device, click one button and change your endpoint.

And, of course, if you don’t want your traffic to go through the tunnel, you just need to turn the key to disable it.

Why is having my data rerouted to a VPN in the Netherlands, for example, better for my privacy?

It has to do with countries that have requirements for logging. For instance, the US, Germany, France, and Britain are all countries that have a requirement that all traffic that goes through an Internet service provider on any level is recorded and tracked. That means that if you're an ISP you actually have to keep access logs and transit logs for everything that happens for a rolling period of time. Whereas, if you look at like the Netherlands or Malaysia, there's no requirement of that so, even if someone were to get a warrant in that country and go to that VPN provider, that VPN provider legally does not have to–and in the case of the VPN providers we're negotiating with right now, we're actually making sure, they do not–keep any active records of any traffic.

Also, we obtain accounts from the service providers and configure them into the boxes. We don’t maintain records of which units go to which customer so there will be no way to associate the activity on a VPN account with the user who owns the box. We will be sealing the Tunnels into opaque packaging so there will be no way for the person packing the shipments to know which particular unit is going to a particular customer. Tunnel owners can purchase account renewal credentials from us (basically a new account) once the service period ends, again handled anonymously. Or, if they choose, they can log into the service provider site and renew their accounts on their own.

How do you vet VPN companies that are overseas to make sure they are reliable and secure?

It's interesting; we're in conversations with a couple right now. It's a matter of their publicly stated policies and their historical track record. We're also doing impromptu network testing to see what they actually have for bandwidth and reliability. We've basically been hammering these companies' endpoints just to make sure we're comfortable with the level of performance. And we're working clauses into our negotiations with these companies so that we don't buy a year of service upfront and then have no recourse. They're going to have a requirement of meeting a service-level agreement that we set the standards of and if they don't do it, we'd move our entire client-base. Think about like a strategy for bulk negotiation, where because we have a large enough user base we can actually force the VPN provider to give us the quality of service we're demanding, or we'll move to another provider.

Why did you decide to rely on crowdfunding to get this project off the ground?

We decided to crowdfund this project early in the process. Several of the team members have experience bringing products to market, and we believe there would have been a lot of venture capital available if we went looking for it. But, by crowdfunding the Tunnel, we stay in charge of our decision making process. Not only does it bring money in—and having money means we can get the right tools when we need them—but bringing the money in through Indiegogo gives us a chance to connect with potential buyers directly. That makes us accountable to them at this stage, which is important given that our buyers are trusting us to do what we say we are going to do. It also gives them a chance to influence the product, voice their feedback while their voices have maximum impact.

Does this device give your company access in any way to my network?

I know exactly where you're going with this. These devices have no ability to “call home”. We have no ability for remote access into them. The web configuration is only encoded to serve the local LAN, when the VPN is connected.

We made the joke, all right, let’s enable SSH. Okay, on which side? Well the obvious one, of course! But then we started thinking about it, and one of the perks we are looking at putting in Indiegogo is a power-user mode for the device. The prototype has two key modes, tunnel on or off – but we're looking at a third key-state potentially which would be admin access, it would actually enable SSH on the box itself, so that if you actually know what you're doing and wanted to go in and completely mess with it, because at the end of the day it's a Linux box, go ahead. But, you'll have to turn a physical key to get there.

Where did you get the idea to build the DSMB Tunnel?

So the origin of the project is kind of funny. I had a friend come to me and say, “How can I make a cellphone that can't be traced?” That's how this all started. In the course of that conversation, we were realizing the amount of investment, amount of work, the amount of engineering required. But, in the process of having this conversation it dawned on me that you could reduce the complexity of this problem. When we were talking about doing a cell phone, we were talking about using data-only with a VPN connection, like an Internet walkie-talkie.

And then it dawned on me, if we're doing that and it was really a very easy point to point VPN set up, why wouldn't we just go one step closer to home and say, instead of having a cell phone that was untraceable, put a VPN in front of every house. It was an easy jump to go from very hard to implement signal security to very easy to implement signal security, which is what this box really is. We started on a really difficult problem, but in the process of solving it we found a simpler problem that no one has really solved well here. Either you have the expertise to reflash DD-WRT onto a Linux router and set this all up yourself or you have no idea what we're talking about. That's where the line generally is. You're either on one level of skill or just on the other. And we realized that we could reduce the level of technical skillset to so low that we could hand this out to our families.

I ran this by a couple people in our group the next day. The response I kept getting was, why hasn't anyone done this? Why hasn't anyone made VPN set-up this simple?

What effect, if any, did the recent revelations about NSA spy programs have on this project?

[Laughs] We actually started about three months before that happened. Couldn't have happened at a better time as far as we were concerned. Every single person who knew what we were working on called us laughing. Every one of us has a background in enough of a technical field to know that this was likely to be the case anyways, or is close to someone working in the field, so we were all aware of this. But, when it started to hit the front page, we knew it couldn't have been better timing. I think in a way, we would have had a much harder fight, getting this product recognized, but it proves there is a need for it and now the average person was much more aware of that need. I think the need was always there, but it's much easier to put your finger on the problem now.

Do you think that soon, along with paying their phone and cable bills, Americans are going to start paying a “privacy” bill?

Privacy and the protection of your own civil rights have never been free. It has always cost something, whether it's money, time or effort. If you are not the person acting in defense of your own rights, you're not going to have them. If you are not willing to take steps to make sure that your life, liberty and pursuit of happiness is not protected on your own, no one else is going to guarantee it for you. If it's a $10 a month fee that Americans are paying, but it acknowledges that they believe their privacy is important enough to pay that money, that's people voting with their money. Right? How long do you think it takes before that happens enough that people start paying more attention, because they don't want to have to pay that $10 a month, they don't feel they should have to.

If there came a point in time where this device became completely redundant, because we truly believed our traffic was not being scrutinized, I'd be ecstatic. I'd happily shut the doors of this company.

Do you think solutions to our privacy issues are going to start from the code up, rather than trickling down from new legislation in Congress?

Well, the code up forces the issue to be recognized as a valid problem. You can't just ignore it. You put a tool like this in the hands of the public, and then someone has to go and make this device illegal, which it's not in any way right now. But, if they start to make this device illegal, now you're blatantly curtailing civil liberties. I don't have the right to send my traffic wherever I choose? I don't have the right to do what I want with my data? You're making the issue exposed. You're being very clear that, no, you don't have the right to do whatever you want with your personal information.

It forces the issue ahead in a way that I'm really pleased with. Either people are allowed to use the devices and as long as you use them, your privacy is somewhat enhanced, and you've shown that you care about your privacy. Or, you don't have one which acknowledges that if you're aware of the problem and you don't care if the government is viewing what you do, that's your choice to make. But, I want there to be a choice, not just a default.

So, does it come in black?

Yes, if we can beat our fundraising goal, we are planning to roll out some secondary perks, which would include different colors.

Thanks for talking with us, Calvin, and good luck.

(h/t @GreggHoush)